Active Directory FSMO Roles

Flexible Single Master Operations (FSMO) are operations performed by Active Directory domain controllers that must be carried out by exactly one server at a time. The different FSMO roles can be held by a single domain controller or spread across several. A domain controller that holds an FSMO role is called an Operations Master DC.

Most operations in AD can be performed on any domain controller. The AD replication service copies the changes to the other domain controllers, keeping the AD database identical on all controllers of the domain. Conflicts are resolved as follows: if two DCs try to change the attributes of the same AD object at the same time, the automatic conflict resolution system keeps track of which change was made last.

However, there are several actions (such as changing the AD schema) for which conflicts are unacceptable. The purpose of the servers holding FSMO roles is to prevent such conflicts: each FSMO role is held by only one server at a time, and, if necessary, it can be transferred to another domain controller at any time.

FSMO roles

There are 5 FSMO roles: 2 forest-wide roles (one holder per AD forest) and 3 domain-wide roles (one holder per domain).

Recommended Best Practice for placement of FSMO roles

When you install a new AD domain, all FSMO roles are placed on a single server. Microsoft's recommended best practice is to spread the FSMO roles across different domain controllers.

The forest FSMO roles should be placed on one DC and the domain roles on another. If you have only one domain controller, it is therefore recommended to deploy one additional DC. In an AD domain with the minimum configuration (2 DCs), the FSMO roles should be placed as follows:

Place the domain roles on DC1:

RID Master

Infrastructure Master

PDC Emulator

Place the forest roles on DC2:

Schema Master

Domain Naming Master

To determine the current FSMO role holders, run the following command:

netdom query fsmo

In this case, the FSMO roles are distributed between the two DCs.
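The same information can be read with the ActiveDirectory PowerShell module and checked automatically against the two-DC layout described above. The script below is an added example and is not part of the original article; it assumes the RSAT ActiveDirectory module is installed, the session runs under a domain account, and that the function and variable names (Get-FsmoPlacement, $placement) are hypothetical names chosen for this example.

```powershell
# Added example, not part of the original article: read the FSMO role holders
# with the ActiveDirectory module and check them against the recommended
# two-DC layout (forest roles on one DC, domain roles on another).
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

function Get-FsmoPlacement {
    param(
        # Domain to inspect; defaults to the domain of the current session
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Forest-wide roles: exactly one holder per forest
    $forestRoles = [ordered]@{
        SchemaMaster       = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
    }
    # Domain-wide roles: exactly one holder per domain
    $domainRoles = [ordered]@{
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }

    # Distinct DCs that hold forest roles, and distinct DCs that hold domain roles
    $forestHolders = @($forestRoles.Values | Select-Object -Unique)
    $domainHolders = @($domainRoles.Values | Select-Object -Unique)

    [PSCustomObject]@{
        Domain      = $dom.DNSRoot
        ForestRoles = $forestRoles
        DomainRoles = $domainRoles
        # True only when all forest roles share one DC, all domain roles share
        # one DC, and those two DCs are different servers.
        FollowsTwoDcLayout = ($forestHolders.Count -eq 1) -and
                             ($domainHolders.Count -eq 1) -and
                             ($forestHolders[0] -ne $domainHolders[0])
    }
}

# Print every role with its holder, then the result of the layout check
$placement = Get-FsmoPlacement
$placement.ForestRoles.GetEnumerator() | ForEach-Object { "{0,-22} {1}" -f $_.Key, $_.Value }
$placement.DomainRoles.GetEnumerator() | ForEach-Object { "{0,-22} {1}" -f $_.Key, $_.Value }
"Forest and domain roles split across two DCs: $($placement.FollowsTwoDcLayout)"
```

Get-ADForest and Get-ADDomain return the role holders as DC host names, the same values netdom query fsmo prints, so the check can be run from any domain-joined workstation with RSAT rather than on a DC. In a forest with several domains, call Get-FsmoPlacement once per domain, since the three domain roles exist separately in each one.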

However, note that there is no FSMO role whose failure leads to a significant loss of AD functionality. Even if all FSMO role holders fail, the infrastructure can operate normally for days, weeks or even months. Therefore, if you are going to take a DC that holds some or all of the roles down for maintenance for a while, there is no need to transfer its FSMO roles to another DC: AD will continue to work normally for some time.

The failure of a DC holding FSMO roles does not bring the domain down. However, it makes many operations impossible, effectively shifting the domain into a "read-only" mode. If a domain controller holding FSMO roles has failed, you can resort to the procedure of seizing the FSMO roles from the failed DC.
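The distinction between a planned transfer (the old holder is still online and hands the role over) and a seizure (the old holder is gone and the role is taken without its cooperation) is what the following added example shows; it is not code from the original article. It assumes the RSAT ActiveDirectory module and sufficient rights (Domain Admins for the domain roles, Schema Admins and Enterprise Admins for the forest roles); the function name Move-FsmoRole and the DC names DC1/DC2 are hypothetical.

```powershell
# Added example, not part of the original article: move FSMO roles to another DC.
# A normal transfer is the default; a seizure (-Force) is performed only when
# the current holder no longer answers and the caller explicitly opts in.
# Assumes the RSAT ActiveDirectory module and appropriate admin rights.
Import-Module ActiveDirectory

function Move-FsmoRole {
    param(
        # DC that should hold the roles afterwards, e.g. 'DC2' (hypothetical name)
        [Parameter(Mandatory)][string]$TargetDC,
        # One or more roles, named as the ActiveDirectory module names them
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string[]]$Role,
        # Opt-in: seize a role whose holder is unreachable instead of stopping
        [switch]$AllowSeize
    )
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $targetHost = $TargetDC.Split('.')[0]

    foreach ($r in $Role) {
        # Forest roles are recorded on the forest object, domain roles on the domain object
        $holder = if ($r -in 'SchemaMaster','DomainNamingMaster') { $forest.$r } else { $domain.$r }
        if ($holder.Split('.')[0] -eq $targetHost) {
            Write-Host "$r is already held by $holder"
            continue
        }

        # Reachability of the current holder decides between transfer and seizure
        $holderOnline = Test-Connection -ComputerName $holder -Count 1 -Quiet
        if ($holderOnline) {
            # Graceful transfer: the old holder is told it no longer owns the role
            Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
                -OperationMasterRole $r -Confirm:$false
            Write-Host "Transferred $r from $holder to $TargetDC"
        } elseif ($AllowSeize) {
            # Seizure: the old holder is not consulted. Once seized, that DC must
            # not be returned to the network without being rebuilt, or two DCs
            # would believe they own the same role.
            Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
                -OperationMasterRole $r -Force -Confirm:$false
            Write-Warning "Seized $r from unreachable $holder; do not bring $holder back online"
        } else {
            Write-Warning "$holder (holder of $r) is unreachable; rerun with -AllowSeize to seize it"
        }
    }
}

# Planned maintenance on DC1: transfer the domain roles to DC2 (holder still online).
Move-FsmoRole -TargetDC 'DC2' -Role PDCEmulator, RIDMaster, InfrastructureMaster

# DC1 has failed and will be rebuilt: seize the same roles, explicitly opting in.
Move-FsmoRole -TargetDC 'DC2' -Role PDCEmulator, RIDMaster, InfrastructureMaster -AllowSeize
```

Move-ADDirectoryServerOperationMasterRole is the module's cmdlet for both operations; without -Force it performs a transfer and fails if the current holder cannot be contacted, with -Force it seizes the role. Keeping the seizure behind an explicit switch and a reachability check prevents an accidental seizure during ordinary maintenance, which, as the text above notes, does not require moving the roles at all.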